[CLOYSTER-57] Implement fail2ban

example.answerfile.ini

@@ -100,3 +100,7 @@ bmc_address=10.0.0.2
 # Optional: NVIDIA HPC SDK
 #[nvhpc]
 #enabled=0
+
+# Optional: fail2ban-firewalld
+#[fail2ban]
+#enabled=0

include/cloysterhpc/NFS.h

@@ -38,12 +38,14 @@ class NFS : public IService {
         const boost::asio::ip::address& address,
         const std::string& permissions);
 
+    void install() final {};
+
     /**
      * @brief Configures the NFS service with the specified settings.
      */
-    void configure();
+    void configure() final;
 
-    /**
+     /**
      * @brief Enables the NFS service.
      */
     void enable() final;

include/cloysterhpc/answerfile.h

@@ -6,10 +6,11 @@
 #ifndef CLOYSTERHPC_ANSWERFILE_H_
 #define CLOYSTERHPC_ANSWERFILE_H_
 
-#include "cloysterhpc/tools/ITool.h"
 #include "os.h"
 #include <boost/asio.hpp>
 #include <cloysterhpc/inifile.h>
+#include <cloysterhpc/services/IService.h>
+#include <cloysterhpc/tools/ITool.h>
 #include <optional>
 #include <utility>
 #include <vector>
@@ -132,6 +133,7 @@ class AnswerFile {
     };
 
     std::vector<std::shared_ptr<ITool>> m_tools;
+    std::vector<std::shared_ptr<IService>> m_services;
 
     std::filesystem::path m_path;
     inifile m_ini;
@@ -216,6 +218,8 @@ class AnswerFile {
     void loadNodes();
     void loadTools();
     void loadNVHPC();
+    void loadServices();
+    void loadFail2ban();
     bool checkEnabled(const std::string& section);
     /**
      * @brief Loads the settings for a specific node.
@@ -290,6 +294,7 @@ class AnswerFile {
      */
     void loadFile(const std::filesystem::path& path);
     std::vector<std::shared_ptr<ITool>> getTools();
+    std::vector<std::shared_ptr<IService>> getServices();
 
     AnswerFile();
     explicit AnswerFile(const std::filesystem::path& path);

include/cloysterhpc/services/IService.h

@@ -8,12 +8,14 @@
 
 class IService {
 protected:
+    [[maybe_unused]] virtual void configure() = 0;
+
+public:
+    [[maybe_unused]] virtual void install() = 0;
     virtual void enable() = 0;
     [[maybe_unused]] virtual void disable() = 0;
     virtual void start() = 0;
     [[maybe_unused]] virtual void stop() = 0;
-
-public:
     virtual ~IService() = default;
 };
 

include/cloysterhpc/services/fail2ban.h

@@ -0,0 +1,25 @@
+/*
+ * Created by Lucas Gracioso <[email protected]>
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef CLOYSTERHPC_FAIL2BAN_H_
+#define CLOYSTERHPC_FAIL2BAN_H_
+
+#include <cloysterhpc/functions.h>
+#include <cloysterhpc/services/IService.h>
+#include <cloysterhpc/services/log.h>
+
+class fail2ban : public IService {
+private:
+    void configure() override;
+
+public:
+    void install() override;
+    void enable() override;
+    void disable() override;
+    void start() override;
+    void stop() override;
+};
+
+#endif // CLOYSTERHPC_FAIL2BAN_H_

src/answerfile.cpp

@@ -4,6 +4,7 @@
  */
 
 #include "cloysterhpc/answerfile.h"
+#include "cloysterhpc/services/fail2ban.h"
 #include "cloysterhpc/services/log.h"
 #include "cloysterhpc/tools/nvhpc.h"
 #include <boost/algorithm/string/classification.hpp>
@@ -321,8 +322,24 @@ void AnswerFile::loadNVHPC()
     m_tools.emplace_back(std::make_shared<NVhpc>());
 }
 
+void AnswerFile::loadServices() { loadFail2ban(); }
+
+void AnswerFile::loadFail2ban()
+{
+    if (!checkEnabled("fail2ban")) {
+        return;
+    }
+
+    m_services.emplace_back(std::make_shared<fail2ban>());
+}
+
 std::vector<std::shared_ptr<ITool>> AnswerFile::getTools() { return m_tools; }
 
+std::vector<std::shared_ptr<IService>> AnswerFile::getServices()
+{
+    return m_services;
+}
+
 #ifdef BUILD_TESTING
 #include <cloysterhpc/tests.h>
 

src/cluster.cpp

@@ -665,6 +665,11 @@ void Cluster::fillData(const std::string& answerfilePath)
         tool->install();
     }
 
+    for (const auto& service : answerfile.getServices()) {
+        service->install();
+        service->enable();
+    }
+
     LOG_TRACE("Configure Nodes")
     for (auto node : answerfile.nodes.nodes) {
 

src/services/fail2ban.cpp

@@ -0,0 +1,57 @@
+/*
+ * Created by Lucas Gracioso <[email protected]>
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include <cloysterhpc/inifile.h>
+#include <cloysterhpc/services/fail2ban.h>
+
+void fail2ban::install()
+{
+    LOG_TRACE("Installing fail2ban");
+    cloyster::runCommand("dnf -y install fail2ban-firewalld");
+    configure();
+}
+
+void fail2ban::configure()
+{
+    std::filesystem::path dest = "/etc/fail2ban/jail.local";
+
+    inifile configfile;
+
+    configfile.loadData(
+        "[DEFAULT]\n"
+        "# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):\n"
+        "bantime = 86400\n"
+        "  \n"
+        "# An IP address/host is banned if it has generated \"maxretry\" "
+        "during the last \"findtime\" seconds.\n"
+        "findtime = 600\n"
+        "maxretry = 3\n"
+        "  \n"
+        "# \"ignoreip\" can be a list of IP addresses, CIDR masks or DNS "
+        "hosts. Fail2ban\n"
+        "# will not ban a host which matches an address in this list. Several "
+        "addresses\n"
+        "# can be defined using space (and/or comma) separator. For example, "
+        "add your\n"
+        "# static IP address that you always use for login such as 103.1.2.3\n"
+        "#ignoreip = 127.0.0.1/8 ::1 103.1.2.3\n"
+        "  \n"
+        "# Enable sshd protection\n"
+        "[sshd]\n"
+        "enabled = true\n");
+
+    configfile.saveFile(dest);
+}
+
+void fail2ban::enable()
+{
+    cloyster::runCommand("systemctl enable --now fail2ban");
+}
+
+void fail2ban::disable() { cloyster::runCommand("systemctl disable fail2ban"); }
+
+void fail2ban::start() { cloyster::runCommand("systemctl start fail2ban"); }
+
+void fail2ban::stop() { cloyster::runCommand("systemctl stop fail2ban"); }